HTTP-01 challenge pending forever

I am trying to transition to a HTTP-01 issued star domain certificate from a DNS-01 certificate for our company's website. We are using acme-tiny.

My Domain is:
scalgo.com

I run:
openssl req -new -sha256 -key privkey.pem -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:scalgo.com") ) > domain.csr

acme-tiny --account-key ./account.key --csr ./domain.csr --acme-dir /web/challenges/ > ./signed_chain.crt

acme-tiny starts a certification and gets a challenge that we should serve at
http://scalgo.com/.well-known/acme-challenge/dLsrhLXw2soZBSKIwVxkBsjKxup9bcSCD0jCmse0afQ
using our nginx server. (Which we do, as you can validate).

It then gets stuck on verifying; acme-tiny requests the URL
https://acme-v01.api.letsencrypt.org/acme/challenge/xxxxxxxxxxxxxxxxxxxxy3lx0XIDTSqdlxxxxxxxxxx/xxxxxxxxxx2

where it gets the response:
{"type": "http-01", "status": "pending", "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/xxxxxxxxxxxxxxxxxxxxy3lx0XIDTSqdlxxxxxxxxxx/xxxxxxxxxx2", "token": "dLsrhLXw2soZBSKIwVxkBsjKxup9bcSCD0jCmse0afQ"}

It then retries over and over again, but the status keeps on being pending, for at least 8 hours.

We also have a number of other domains we also want in the certificate, for instance www.scalgo.com and beta.scalgo.com. If I put only those in the request without scalgo.com, acme-tiny produces a certificate almost immediately. If I also include scalgo.com, it hangs on scalgo.com indefinitely.

Am I doing something wrong? Is there some special procedure one should go through to switch from a DNS-01 cert to a HTTP-01 cert?

Hi @antialize

pending means: Your client doesn't send the "hey, server, the challenge is created, please check it" command to Letsencrypt.

So Letsencrypt waits for your client to send this command.

Why? I have no idea.

Is there an update of acme-tiny?

Or acme-tiny tries to do a local check, that local check doesn't work. So acme-tiny tries it again and again.

Is there an option to cancel such a local check?

PS: Checking your domain there is no real problem visible - https://check-your-website.server-daten.de/?q=scalgo.com

http works, /.well-known/acme-challenge works with a redirect www -> non-www.

Does something like

curl http://scalgo.com/.well-known/acme-challenge/1234

work internally? An HTTP status 404 - Not Found is expected.
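
An added example, not part of the thread and not acme-tiny's own code: a bounded poll of the challenge resource that stops with a diagnostic when the status stays "pending", instead of retrying for hours. `poll`, `sample` and the placeholder URI and token are assumptions made for illustration.

```python
import json
import time

# Constructed challenge bodies in the shape quoted in the thread; the URI and
# token are placeholders, not real values.
def sample(status, **extra):
    body = {"type": "http-01", "status": status,
            "uri": "https://acme.example/challenge/PLACEHOLDER",
            "token": "PLACEHOLDER_TOKEN"}
    body.update(extra)
    return json.dumps(body)

class ChallengeStuck(Exception):
    """Status never left 'pending' before the deadline."""
    def __init__(self, polls, waited):
        super().__init__(
            "still pending after %d polls (%.0fs): check that the client "
            "actually asked the CA to validate, and that the client is current"
            % (polls, waited))
        self.polls = polls

class ChallengeFailed(Exception):
    """The CA reported a terminal failure or an unknown status."""

def wait_for_challenge(poll, max_wait=120.0, interval=2.0,
                       sleep=time.sleep, clock=time.monotonic):
    """Poll until 'valid'; return the number of polls it took.

    poll() is a hypothetical callable returning the challenge resource's JSON
    body as text (in a real client, a GET of the challenge URI).
    """
    start = clock()
    polls = 0
    while True:
        body = json.loads(poll())
        polls += 1
        status = body.get("status")
        if status == "valid":
            return polls
        if status == "invalid":
            raise ChallengeFailed((body.get("error") or {}).get("detail", "no detail given"))
        # 'processing' is the in-progress status in RFC 8555 (ACME v2).
        if status not in ("pending", "processing"):
            raise ChallengeFailed("unexpected status %r" % (status,))
        waited = clock() - start
        if waited >= max_wait:
            raise ChallengeStuck(polls, waited)  # bounded, not an endless retry
        sleep(interval)
```
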

Hi Juergen. I used the acme-tiny from Ubuntu 18.04 LTS. I tried with the latest from git and everything just worked. Thanks.


Ah, thanks - so your older client had a bug, now it's fixed :+1:

